Recommendations for Securing a Web Server

In Brief

Mail servers are special servers in the sense that at least part of a mail server has to be connected to the Internet. As explained in the article on e-mails, mail servers can be separated into one or two parts, where at least the MTA part (Mail Transfer Agent) must be connected to the Internet. Because of this, it is also recommended to follow the general recommendations for servers connected to the Internet.

Security Measures

• It is strongly recommended to use anti-virus software to scan e-mails passing through the server. This is done to protect recipients from malicious code. Anti-virus software should be regularly updated to recognise and remove the latest malicious code. Draft and enforce a sectoral policy on Operational and communications aspects – Protection against malware.
• It is strongly recommended to use different anti-virus software for the e-mail than for agent workstations. This increases the probability of detecting a virus.
• It is strongly recommended to activate a spam filter at server level. Draft and enforce a sectoral policy on Operational and communications aspects – E-mail.
• It is strongly recommended to configure the e-mail server to prevent all mail relays. This means that malicious users from the Internet will not be able to use the mail server to send messages by using its e-mail relay function.
• It is recommended to separate the MTA server (Mail Transfer Agent) and the MDA server (Mail Delivery Agent). The MTA should be in the DMZ and the MDA inside the entity network. A corporate firewall can be set up to provide maximum security. Draft and enforce a sectoral policy on access control – External connections and Separation of networks.
• It is strongly recommended to apply a procedure for the creation and deactivation of e-mail accounts. User accounts are created upon the arrival of each new agent. When an agent leaves or is transferred, their former access to electronic mail is closed and their access account is deactivated, so they cannot continue to send and receive e-mails using their old address. Draft and enforce a sectoral policy on human factors and a sectoral policy on Access control – Access control policy and Access rights management.
• It is strongly recommended to draw up an Acceptable Use Policy for e-mail and to make all users aware of this policy. They should respect the charter for the good of everyone. Draft and enforce a sectoral policy on human factors as well as a sectoral policy on Operational and communications aspects – E-mail.
• It is strongly recommended to train all agents on the risks inherent to the use of e-mails.
• It is recommended to implement encryption functionalities if in-house or confidential content is going to be transferred via e-mail. Draft and enforce a sectoral policy on System development and maintenance- Use of encryption.
• It is strongly recommended to introduce a method to combat SPAM, such as SPF, DKIM or DMARC.